Getting Data In

Can a Search Head be an Indexer as well in a distributed search environment?

psutton_et
Explorer

I have 2 Splunk test servers. I had one as an indexer and one as the search head. But we need to restore a single index, index=restoredb, from our production instance to this test environment. We have 2 indexers in our production servers, so I have made both test servers indexers, with one of those 2 still being a search head. I'm a little confused about how to set up distributed searching. When I try to add the search head/indexer it says 'Duplicate Servername'. I'm not sure if this means that the search will automatically look on the search head and then on the other indexer?

Our production indexers are not clustered, so the data from both needs to be restored to different places to look at all the data.

0 Karma
1 Solution

jdunlea
Contributor

Quick answer: Yes, in a distributed environment you can have one of your machines be a search head and an indexer while the other machine is just an indexer.

You do not need to add the search head as a distributed indexer of itself as it will automatically look at the indexes within itself by default. Just ensure that the index you are copying is created on both test servers and then drop the data into that index on each server. The search head will then search its own indexes and also the indexes of the distributed indexer. (Remember that you may need to fiddle with user account permissions to search that index, but this may not be required if you have not changed much from the default set up.)

As a side note: the data from two indexers actually does not need to be restored to two different places (presuming you are running version 5 or higher). You can drop all of the buckets from the index on both indexers into the same index on ONE indexer, but you just need to ensure that the bucket IDs (the number after the last underscore in the bucket name) don't collide. These need to be unique.

Hope this helps!


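The side note above is the part people get wrong when consolidating buckets from two non-clustered indexers into one index: two `db_<latest>_<earliest>_<id>` directories with the same trailing ID cannot coexist. The following Python is an added example (not part of the original answer or of Splunk itself) that parses bucket directory names, reports ID collisions across source indexers, and builds a rename plan before anything is moved. The renumbering policy (first claimant keeps the ID, later collisions get fresh IDs above the highest one seen) and the sample listings are assumptions made for this example; check the restore procedure in the Splunk documentation for your version before applying a plan.

```python
import os
import re
import shutil
from typing import Dict, List, Tuple

# Non-clustered warm/cold bucket directories are named
#   db_<latestTime>_<earliestTime>_<bucketId>
# (clustered buckets carry an extra GUID suffix and are deliberately not matched).
BUCKET_RE = re.compile(r"^db_(?P<latest>\d+)_(?P<earliest>\d+)_(?P<id>\d+)$")


def parse_bucket(name: str) -> Tuple[int, int, int]:
    """Return (latest, earliest, bucket_id) for a db_ bucket directory name.
    Anything else (hot_v1_* directories, stray files) raises so it is never
    silently copied into the destination index."""
    m = BUCKET_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised bucket directory name: {name!r}")
    return int(m["latest"]), int(m["earliest"]), int(m["id"])


def find_collisions(sources: Dict[str, List[str]]) -> Dict[int, List[Tuple[str, str]]]:
    """Map every bucket ID used by more than one source indexer to the
    (source, bucket name) pairs that share it."""
    by_id: Dict[int, List[Tuple[str, str]]] = {}
    for source, names in sources.items():
        for name in names:
            bid = parse_bucket(name)[2]
            by_id.setdefault(bid, []).append((source, name))
    return {bid: owners for bid, owners in by_id.items() if len(owners) > 1}


def merge_plan(sources: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Decide the destination name of every bucket: {source: {old: new}}.
    Hypothetical policy for this example: sources are processed in order, the
    first bucket to claim an ID keeps it, and later buckets with a taken ID
    are renumbered above the highest ID seen in any source, so no existing
    ID is ever reused."""
    next_id = max((parse_bucket(n)[2] for names in sources.values() for n in names),
                  default=-1) + 1
    taken = set()
    plan: Dict[str, Dict[str, str]] = {}
    for source, names in sources.items():
        plan[source] = {}
        for name in names:
            latest, earliest, bid = parse_bucket(name)
            if bid in taken:
                bid, next_id = next_id, next_id + 1
            taken.add(bid)
            plan[source][name] = f"db_{latest}_{earliest}_{bid}"
    return plan


def moves_for_plan(plan: Dict[str, Dict[str, str]], source_dirs: Dict[str, str],
                   dest_dir: str) -> List[Tuple[str, str]]:
    """Turn a plan into (src_path, dst_path) pairs for one destination index
    directory (e.g. the colddb or db directory of restoredb on the test indexer)."""
    return [(os.path.join(source_dirs[s], old), os.path.join(dest_dir, new))
            for s, renames in plan.items() for old, new in renames.items()]


def apply_moves(moves: List[Tuple[str, str]], dry_run: bool = True) -> None:
    """Move bucket directories; refuse to overwrite an existing destination."""
    for src, dst in moves:
        if os.path.exists(dst):
            raise FileExistsError(f"destination bucket already exists: {dst}")
        if not dry_run:
            shutil.move(src, dst)


# Constructed sample listings (not real data): the restoredb index as it
# sits on two non-clustered production indexers. Bucket ID 5 collides.
SAMPLE = {
    "prod-idx1": ["db_1389230491_1389230483_5",
                  "db_1389231000_1389230500_6",
                  "db_1389232000_1389231500_7"],
    "prod-idx2": ["db_1389229000_1389228000_5",
                  "db_1389233000_1389232500_8"],
}

if __name__ == "__main__":
    for bid, owners in find_collisions(SAMPLE).items():
        print(f"bucket id {bid} collides: {owners}")
    for source, renames in merge_plan(SAMPLE).items():
        for old, new in renames.items():
            print(f"{source}: {old} -> {new}" if old != new else f"{source}: {old} (kept)")
```

Run it with dry_run left at True first and read the printed renames; only then point `moves_for_plan` at the real source and destination directories and call `apply_moves(..., dry_run=False)` with the indexer stopped, so Splunk does not pick up a half-moved bucket.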
ppablo
Retired

Hi @psutton_et

You can set up a search head as a search peer as stated here in documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Overviewofconfiguration#Deploy_non-dedi...

You would need to just add the other indexer server as a search peer to the dual-purpose search head/indexer server:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Configuredistributedsearch

Have you tested any searches to see if they return any data specifically from the dual search head/indexer?

0 Karma

psutton_et
Explorer

Thanks for the response. We did restore just an individual index on the 2 test servers and we were able to restore the data we needed.

psutton_et
Explorer

We are still waiting for the restores to complete. As soon as they do, I will try.

0 Karma